pkexec: PATH environment variable

Status: open
Participants: Hamzeh Nasajpour, Liliana Marie Prikler
Owner: unassigned
Submitted by: Hamzeh Nasajpour
Severity: normal

Hamzeh Nasajpour wrote 3 years ago
To: bug-guix@gnu.org
46b16bf3-e41c-4ccf-9817-879df6eeb8cb@www.fastmail.com
The `PATH` environment variable is hard-coded here:

https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886

We don't have any executables in these paths in Guix:
```
/usr/sbin:/usr/bin:/sbin:/bin:/root/bin
```

Replicate the issue:
1. Run the `pkexec`
2. Enter your password
3. run `echo $PATH` in the opened terminal
4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd` and so on.)

Expected Behavior:
Running all of the commands without any error.

Isn't it? Shouldn't we patch the `PATH` environment variable in the `pkexec` source code? Either way, some applications like `lxqt-admin-user` and `lxqt-admin-time` have an issue and can't run the commands via `pkexec`. I get this error when I want to change a user password via `lxqt-admin-user`. It uses `pkexec` to change the password.

```
/run/current-system/profile/bin/lxqt-admin-user-helper: line 7: exec: passwd: not found
```

--

Hamzeh Nasajpour
PantherX Team
Liliana Marie Prikler wrote 3 years ago
57fde5d78af3ecc18b57191238cd81b0de65378e.camel@gmail.com
Hi,

On Sunday, 21.11.2021 at 11:33 +0330, Hamzeh Nasajpour wrote:
> The `PATH` environment variable is hard-code here:
>
> https://github.com/freedesktop/polkit/blob/master/src/programs/pkexec.c#L882-L886
>
> We don't have any executable in these paths in guix:
> ```
> /usr/sbin:/usr/bin:/sbin:/bin:/root/bin
> ```
>
> Replicate the issue:
> 1. Run the `pkexec`
> 2. Enter your password
> 3. run `echo $PATH` in the opened terminal
> 4. You will see this path: `/usr/sbin:/usr/bin:/sbin:/bin:/root/bin`
> 5. You can't run most of the commands. (`ls`, `passwd`, `chpasswd`
> and so on.)
>
> Expected Behavior:
> Running all of the commands without any error.
>
> Isn't it? Should not we patch the `PATH` environment variable in
> `pkexec` source codes? Either way, some applications like
> `lxqt-admin-user` and `lxqt-admin-time` has an issue and they can't run the
> commands via `pkexec`. I get this error when I want to change user
> password via `lxqt-admin-user`. It's using `pkexec` to change
> password.
I'm getting some flashbacks from my ITSec courses here. pkexec is
protecting itself against a malicious PATH attack. The paths are
chosen somewhat arbitrarily, but on traditional distros this ought to
ensure that no privilege escalation occurs. We could inject
/run/current-system, given that /run likewise ought to be root-writable
only, but I'm not sure how much that helps. The obvious solution is to
use canonical (store) paths with pkexec.

Cheers
Hamzeh Nasajpour wrote 3 years ago
538d2dd4-7777-49ad-b0e5-8ceb12d03c60@www.fastmail.com
Hi Liliana,

Thanks for your response and sorry for delay.

> We could inject /run/current-system, given that /run likewise ought to be root-writable
> only, but I'm not sure how much that helps. The obvious solution is to
> use canonical (store) paths with pkexec.

Honestly, I couldn't figure out your solution. Can you clarify it?

Regards,

--

Hamzeh Nasajpour
PantherX Team
Liliana Marie Prikler wrote 3 years ago
0b97c774c903f45cb9ca3efbb12d55459d7d45c8.camel@gmail.com
On Sunday, 28.11.2021 at 11:09 +0330, Hamzeh Nasajpour wrote:
> Hi Liliana,
>
> Thanks for your response and sorry for delay.
>
> > We could inject /run/current-system, given that /run likewise ought
> > to be root-writable
> > only, but I'm not sure how much that helps.  The obvious solution
> > is to
> > use canonical (store) paths with pkexec.
>
> Honestly, I couldn't figure out your solution. Can you clarify it?
That is, instead of writing "pkexec sh", write
"pkexec /run/current-system/profile/bin/sh" or similar.

Cheers
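A helper written the way the last reply suggests, as an added example that is not polkit's code nor the lxqt-admin helper quoted above: it resolves the program against a fixed, root-owned prefix rather than against `$PATH`, and hands `pkexec` the absolute path. The directory list under `/run/current-system/profile` is an assumption for Guix System, and `TRUSTED_DIRS`, `resolve_trusted` and `run_as_root` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not polkit or lxqt-admin code). pkexec replaces PATH with
# a fixed list of root-owned directories (/usr/sbin:/usr/bin:/sbin:/bin:
# /root/bin), so a helper it runs on Guix cannot find `passwd` by name.
# Instead of relying on PATH lookup, resolve the program against a
# trusted, root-owned prefix and pass pkexec the absolute path.

# Directories trusted to hold system binaries. /run/current-system is an
# assumption for Guix System; the variable is overridable so the function
# can be exercised against a scratch directory.
: "${TRUSTED_DIRS:=/run/current-system/profile/sbin /run/current-system/profile/bin}"

# resolve_trusted NAME
# Prints the absolute path of NAME found in TRUSTED_DIRS; exit status 1 if
# absent. $PATH is never consulted, so a caller-controlled PATH (the
# attack pkexec's reset guards against) cannot redirect the lookup. Names
# containing '/' are refused so "../" cannot escape the trusted prefix.
resolve_trusted() {
    name=$1
    case $name in
        ''|*/*) printf 'resolve_trusted: refusing name "%s"\n' "$name" >&2; return 1 ;;
    esac
    for d in $TRUSTED_DIRS; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    return 1
}

# Fragile form, what the failing helper does (fails with "passwd: not
# found" because pkexec's PATH contains no Guix directories):
#     exec pkexec passwd "$user"
#
# Hardened form: resolve first, then give pkexec an absolute path.
run_as_root() {
    prog=$(resolve_trusted "$1") || {
        printf '%s: not found under trusted directories\n' "$1" >&2
        return 127
    }
    shift
    pkexec "$prog" "$@"
}

# Usage: run_as_root passwd "$USER"
```

Resolving in the caller is safe only because the lookup ignores `$PATH`; doing `pkexec "$(command -v passwd)"` instead would reintroduce the malicious-PATH problem pkexec's reset exists to prevent.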
To comment on this conversation send an email to 52011@debbugs.gnu.org